Firewall Audit Work Program


Table of Contents

FIREWALL AUDIT WORK PROGRAM: SAMPLE 1
FIREWALL AUDIT WORK PROGRAM: SAMPLE 2

Source: www.knowledgeleader.com
FIREWALL AUDIT WORK PROGRAM: SAMPLE 1

PROJECT TEAM (LIST MEMBERS)

Project Timing | Date | Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES

Time | Project Work Step | Initial | Index

Documentation

Obtain network diagrams illustrating firewall connections and segmentation on the network.
Test Step: Obtain network diagrams from the network administrator to gain an understanding of the network environment.

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.
Test Step: Meet with the systems manager to define the functional purpose of each firewall. Verify that the firewalls have been configured to match their functional purpose.

Logical Access

Ensure that logical access to the various components (routers, firewall software,
etc.) of the firewall solution is appropriately restricted to the individuals with
authorized need for such access.
Test Step: Obtain a list of individuals who have access to change configurations
to routers and firewalls.

Ensure that justifications for firewall rules are documented to identify the purpose
of the rules.
Test Step: Obtain firewall rule sets and review for appropriate rule justification
and purpose.

Determine if password management features are in place for applicable firewall components and the shadow password file (security/password/etc.) is used.
• Password management guidelines exist.
• Passwords are required.
• Passwords are not displayed.
• Passwords are user maintainable.
• Password parameters comply with defined standards.
• Login attempts are limited to three and the account is then locked.
• Login failures are logged.
• User IDs and passwords are encrypted across the network.
• An automatic timeout feature exists.
Test Step: Obtain password policies and systematic password guidelines from
the systems manager. Verify the following:
• Password management guidelines exist.
• Passwords are required.
• Passwords are not displayed.
• Passwords are user maintainable.
• Login attempts are limited to three and the account is then locked.
• Login failures are logged.
• User IDs and passwords are encrypted across the network.
• An automatic timeout feature exists.

Determine if logical connections to the firewall components are secured (e.g., encryption, Internet Protocol [IP] restrictions for remote administration needs). Products such as secure sockets layer (SSL) encrypted connections and transmission control protocol (TCP) wrappers (IP restrictions) may be appropriate.
Test Step: Meet with firewall administrators and verify that logical firewall connections are adequately secured.

Review for dial-in access directly to the firewall server.
• Determine if remote connections are automatically disconnected by the system after a specified length of time of inactivity or if the connection is broken.
• Only appropriate users have access to dial-in access to the firewall.
• Appropriate individuals authorize dial-in access.
• Access request forms exist to document approval of dial-in access.
• Secure protocols are utilized when users are logging into firewalls remotely.
• The use of dial-in access is logged and reviewed by management.
Test Steps:
• Meet with the systems manager to determine which users can dial into the firewall servers.
• Verify that:
− Remote connections are disconnected after an appropriate period of inactivity.
− Individuals with dial-in access are appropriate for job functions.
− Dial-in access is documented in the access control form.
− Appropriate security measures are in place when users dial in to firewalls.
− Dial-in access is logged and reviewed by management.

Configuration

The firewall configuration in place provides for an adequately maintained and effective firewall.
Test Steps:
• Obtain firewall configurations from firewall administrators.
• Review configurations to verify the effectiveness of firewalls.

Firewall component logical/physical locations agree with the firewall strategy.
Test Step: Review configurations to verify that the firewall is configured in a manner that is consistent with its strategy.

Firewall components are on an appropriate version and security patches are kept up to date as vulnerabilities and business reasons dictate.
• A patch ID equates to a certain level of applied patches.
• Available patch updates are monitored and applied, as necessary.
• Active services running on the firewall servers are appropriate.
• Only justified startup scripts are being utilized.
• An appropriate banner is presented during file transfer protocol (FTP) access.
• All server accounts are individual accounts, and any use of an administrator account is not initiated directly.
Test Steps: Meet with a manager and firewall administrators and inquire about the patch management process and updates of firewalls.
• Obtain a list of available services of the firewall and review it for reasonableness.
• Obtain and review the startup script for reasonableness.
• Verify that the banner presented during FTP use is appropriate.
• Verify that generic system accounts are not being used.

Operating System Logs

Obtain the firewall operating system configuration for rejecting and logging activities. Review to determine that the following system activities are logged:
• Login (unsuccessful and successful)
• Logout (successful)
• Use of privileged commands (unsuccessful and successful)
• Application and session initiation (unsuccessful and successful)
• Use of print command (unsuccessful and successful)
• Control permission modification for users and security parameters (unsuccessful and successful)
• Unauthorized access attempts to files (unsuccessful)
• System startup and shutdown (unsuccessful and successful) and if the connection is broken
• All system logging and email isolated to its own partition
• All attempts to gain root/administrator access
• All dropped packets, denied connections and rejected attempts
• Time, protocol and username for successful connections through the firewall
• IP addresses
• Error messages from routers, bastion host and proxying programs
For events that are logged, the log parameter to record all the information is activated.
Test Steps:
• Obtain logs from the firewall administrators.
• Review the logs to verify the following items are logged:
− Login (unsuccessful and successful)
− Logout (successful)
− Use of privileged commands (unsuccessful and successful)
− Application and session initiation (unsuccessful and successful)
− Use of print command (unsuccessful and successful)
− Control permission modification for users and security parameters (unsuccessful and successful)
− Unauthorized access attempts to files (unsuccessful)
− System startup and shutdown (unsuccessful and successful) and if the connection is broken
− All system logging and email isolated to its own partition
− All attempts to gain root/administrator access
− All dropped packets, denied connections and rejected attempts
− Time, protocol and username for successful connections through the firewall
− IP addresses
− Error messages from routers, bastion host and proxying programs

Documented logging results are monitored, and follow-up actions are performed.
Test Step: Meet with a manager and a firewall administrator and inquire about
the monitoring of logs and the incident response, if needed.

System and firewall logs are rotated to reduce disk space problems. Rotation
should be automatic. Document the retention period.
Test Step: Meet with the systems manager and inquire about the retention of
firewall logs.

Where ports or services are needed to administer the firewall, rules exist that limit which source IP addresses can connect to them.
Test Steps:
• Meet with the systems manager and firewall administrators and inquire about IP restriction rules.
• Inspect firewall rules for the definition of restricted IP addresses.

Firewall Test

Attempt to port scan the firewall from both the internal network and the Internet,
scanning for Internet control message protocol (ICMP), user datagram protocol
(UDP) and TCP. There should be no open ports and the firewall should not be
able to be pinged.
Test Step: Attempt to port scan the firewall from both the internal network and
the Internet, scanning for ICMP, UDP and TCP. There should be no open ports
and the firewall should not be able to be pinged.

A lockdown rule has been placed at the beginning of the rule base. The lockdown
rule protects the firewall, ensuring that whatever other rules you put in later will
not inadvertently compromise your firewall. If administrative access is required,
then a rule should be placed before the lockdown rule. All other rules should go
after the lockdown rule going from most restrictive to general rules. Review the
remaining rules.
Test Steps:
• Obtain the IS router and firewall standard from (Name). Review the policy to
verify the reasonableness of baseline firewall rules.
• Review the rule set to verify the appropriate use of a lockdown rule.

Obtain and review the connections table for timeout limits and the number of
connections.
• Timeout should be no longer than X minutes (X seconds).
• The firewall's automatic notification alerting features are utilized and
information about the breach/intruder is archived for analysis.
Test Steps:
• Obtain firewall configurations from the firewall administrators.
• Review the configurations and verify:
− Connections time out after an appropriate length of time.
− Connection tables are properly set.
− Automatic notifications are enabled in the event of a security breach.

Application Logs

Separate partitioning for the firewall logging is considered. This may be in the
form of a separate partition on the same server, a second server drive, mirroring
to the disaster recovery site or a centralized logging facility.
Test Step: Meet with the systems manager and firewall administrators and
inquire about the location of where the logs are stored.

Physical Security

Physical access to the various components (routers, firewall software, etc.) of the firewall solution is appropriately restricted to individuals with an authorized need for access.
• Lines connected to the firewall hardware are reasonable.
− Obtain a schematic of the lines connected to the applicable firewall hardware.
− Discuss with the appropriate staff the purpose of each line.
Test Steps:
• Meet with the systems manager and firewall administrators and verify that all firewalls are physically inside of a data center.
• Inspect the firewall network diagrams to verify that the connected lines are appropriate.

Continuity of Operations

Fault tolerance (e.g., mirroring of data) has been implemented for the firewall
server.
Redundant components are installed where critical failure points exist, or spare
parts should be on site.
• Use the hardware and software configuration information to identify hardware
and software in place, which provides redundancy and backup.
If single points of failure exist, plans exist to address the situation(s).
Obtain and review a schedule of the retention periods for the firewall's software
components and a schedule of the rotation cycle of the firewall's software.
The disaster recovery plan includes the firewall server.
Test Steps:
• Meet with the systems manager and firewall administrators and discuss the
failover and point of failure strategies of the firewalls.
• Discuss the life expectancy of the firewall software.
• Verify that the disaster recovery plan takes firewalls into account.

FIREWALL AUDIT WORK PROGRAM: SAMPLE 2

PROJECT TEAM (LIST MEMBERS):

Project Timing | Date | Comments

Planning

Fieldwork

Report Issuance

Time | Project Work Step | Initial | Index

Internet and Firewall Configuration Security

Control Objective: The connection to an external network, such as the Internet, is secured with an application gateway firewall and the firewall is properly configured to secure Internet traffic.

Using the network diagram as a guide, observe the physical connections between the various components, noting proper labeling of all physical connections and consistency of physical connections within the diagram. Investigate any connections that link portions of the firewall network to networks or links not documented in the network diagram.
• Determine whether the firewall has only two network interfaces – the link to the external network and the link to the internal network.
• Determine whether the router that connects to the internet has only two interfaces – one that connects to the internet service provider and a second that connects directly to the firewall or one that connects to the sacrificial network outside of the firewall.
• For all systems (web server, DNS server, router, firewall) on the sacrificial network, determine that each component has no links to any other parts of the internal network or other networks.
• Determine if any devices other than the firewalls and routers tested under Steps A and B above connect directly to the internet.
• Review the router configuration file for the router that connects to the internet service provider. Determine whether adequate filters are in place to detect and drop incoming services that are not authorized to be used on any of the components located on the sacrificial network. Ensure that traffic that should only connect to the DMZ (e.g., HTTP requests to the web host) is not allowed to be routed to the firewall.

Ensure that the application gateway firewall's host operating system (usually Unix) has been properly modified to disable services that could be used to subvert the security of the firewall software program:
• Review start-up files to ensure that all standard network services have been disabled by commenting out their entries.
• Execute the command at the firewall operating system prompt and review the output (it should show no routes available) to ensure that IP datagram routing has been disabled in the operating system kernel.
• Review the content to ensure that they are empty or do not exist on the system.
• Review the /etc/passwd file to ensure that only the root account and one firewall administration account are active (not including login-disabled system accounts, bin, wheel, etc.). Assess controls (passwords, logging and review) over use of these accounts.
• Review the directory structure to ensure that no other application programs, language compilers, interpreters or other utilities are loaded on the system.
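An added example (not part of the work program) of how the /etc/passwd review in the step above can be carried out against the shadow file as well: it lists the accounts that can still log in and flags anything beyond root plus one named administration account, and separately flags empty password hashes. The file contents and the account name fwadmin are constructed sample data.

```python
"""Active-account review for a firewall host (added example, constructed data)."""

# Shells that prevent interactive login; such accounts are treated as disabled.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
fwadmin:x:1000:1000:Firewall admin:/home/fwadmin:/bin/sh
oldadmin:x:1001:1001:Former admin:/home/oldadmin:/bin/sh
backup:x:1002:1002:Backup job:/home/backup:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$hashhash1:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
fwadmin:$6$saltsalt$hashhash2:19000:0:99999:7:::
oldadmin:!$6$saltsalt$hashhash3:19000:0:99999:7:::
backup::19000:0:99999:7:::
"""

def parse_colon_file(text):
    """Yield the fields of each non-empty, non-comment line of a colon-separated file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")

def active_accounts(passwd_text, shadow_text):
    """Return {user: reason} for every account that can still be used to log in.

    An account is disabled when its shell is a nologin shell or its shadow
    hash is locked ('!' or '*' prefix, covering '!!' and '*LK*' too). An empty
    hash is reported on its own because it means no password is required.
    """
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    active = {}
    for fields in parse_colon_file(passwd_text):
        user, shell = fields[0], fields[6]
        if shell in NOLOGIN_SHELLS:
            continue
        hashed = shadow.get(user)
        if hashed is None:
            active[user] = "no shadow entry"
        elif hashed == "":
            active[user] = "EMPTY PASSWORD"
        elif hashed[0] in "!*":
            continue                      # locked account
        else:
            active[user] = "password set"
    return active

def review(passwd_text, shadow_text, admin_account):
    """Findings for the work-program check: only root and one admin account may be active."""
    active = active_accounts(passwd_text, shadow_text)
    return [f"{user}: {why}" for user, why in active.items()
            if user not in ("root", admin_account) or why != "password set"]

if __name__ == "__main__":
    for finding in review(PASSWD, SHADOW, "fwadmin"):
        print("FINDING", finding)
```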

Review the configuration of the firewall software. Often, a configuration file can
be printed out and reviewed.
• Identify all supported and active network application proxies along with the
indication of where connections may be initiated. (This may be noted as
“trusted network” for connections initiated from the internal network and
“untrusted network” for connections initiated from the external network–the
internet.) Compare this to the internet policy description of authorized
services. Investigate any deviations from the policy. Further, ensure that the
firewall is not configured to automatically trust any outside network.
• For all proxies that allow network connections to be initiated from the
Internet (telnet, FTP, etc.), ensure that strong password authentication
controls are implemented (challenge-response, encryption) or that third-
party security schemes have been implemented (SecureID and S/key).
• For all proxies that allow network connections to be initiated from the
internet, there should normally be restrictions (based on IP addresses or
host names) on the source of such connections and the systems on the
internal network that an internet user may access. Assess the need for
these restrictions and review the configuration of such access controls.
• Review the firewall documentation to ensure that the IP source routing
functionality is disabled in the firewall product.
• Review ID and password controls – authorizations for IDs, password format
and aging controls.
• Review and assess the use of groups to assign services and access
capabilities to users.
• For generic proxy programs that may be in use, review the port number and
IP source and destination restrictions to ensure that they are correctly
designed to restrict this traffic. Assess the need for and implementation of
compensating controls, such as router filters.
• For each proxy, determine that adequate logging mechanisms have been
activated and that logs are reviewed timely. Further, determine who has
access to the logs and ensure that this access is appropriate.
• Review port settings and ensure that all unused ports are disabled. Further,
any active ports must have Cisco Discovery Protocol (CDP), trunking and
spanning tree explicitly disabled.
• Determine whether audit alerts have been adequately designed to alert
management in real-time security events that require prompt attention
(alerts such as spam traps, email messages, pagers, etc.).


• Identify and assess the appropriateness of administrators’ access to view and modify the firewall configuration.
• Review the firewall configuration file and determine if any generic accounts
have access to the firewall. If generic accounts are identified, verify that the
passwords for the accounts are encrypted and that the accounts are
documented in a generic account listing noting the business reasons for
retaining the accounts and the users with knowledge of the passwords.

Review the configuration of the firewall access control lists (ACL).
• Identify and assess the appropriateness of administrators’ access to view and modify the ACL.
• Determine if the ACL implements a “deny all” strategy, only allowing specific IP addresses to send and receive information. Review the list of IP addresses allowed and ensure that they are appropriate.
• Ensure that the first rule of the ACL denies traffic coming into the internal network, which has an internal source IP address.
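The ordering checks from Sample 1 (admin-access rules, then the lockdown rule, then the remaining rules) and from the ACL step above (anti-spoofing rule first, explicit deny-all last) can be run mechanically over an exported rule base. The following is an added example, not from the work program; the rule representation, the marker dst "FIREWALL" for the firewall's own interfaces, the internal range 10.0.0.0/8 and both sample rule bases are constructed.

```python
"""Rule-base ordering audit (added example; rules and networks are constructed)."""

INTERNAL_NET = "10.0.0.0/8"   # assumed internal address space

def is_admin_rule(rule):
    """Allow rule for management access to the firewall itself."""
    return rule["dst"] == "FIREWALL" and rule["action"] == "allow"

def is_lockdown_rule(rule):
    """Deny everything else addressed to the firewall itself."""
    return (rule["dst"] == "FIREWALL" and rule["action"] == "deny"
            and rule["src"] == "any" and rule["service"] == "any")

def is_antispoof_rule(rule):
    """Deny traffic arriving on the outside interface with an internal source."""
    return (rule["action"] == "deny" and rule["src"] == INTERNAL_NET
            and rule.get("in_iface") == "outside")

def is_default_deny(rule):
    return rule["action"] == "deny" and rule["src"] == "any" and rule["dst"] == "any"

def audit_rulebase(rules):
    """Return a list of findings; an empty list means every ordering check passed."""
    findings = []
    lockdown_idx = next((i for i, r in enumerate(rules) if is_lockdown_rule(r)), None)
    if lockdown_idx is None:
        findings.append("no lockdown rule protecting the firewall itself")
        lockdown_idx = -1
    else:
        # Only source-restricted admin-access rules may precede the lockdown rule.
        for r in rules[:lockdown_idx]:
            if not is_admin_rule(r):
                findings.append(f"rule before lockdown is not an admin-access rule: {r['comment']}")
            elif r["src"] == "any":
                findings.append(f"admin-access rule does not restrict source IPs: {r['comment']}")
    remaining = rules[lockdown_idx + 1:]
    if not remaining or not is_antispoof_rule(remaining[0]):
        findings.append("first rule after lockdown is not the anti-spoofing deny")
    if not rules or not is_default_deny(rules[-1]):
        findings.append("rule base does not end with an explicit deny-all")
    return findings

# Constructed rule bases: one that passes and one with typical ordering defects.
GOOD_RULES = [
    {"src": "10.1.5.0/28", "dst": "FIREWALL", "service": "ssh", "action": "allow", "comment": "admin access"},
    {"src": "any", "dst": "FIREWALL", "service": "any", "action": "deny", "comment": "lockdown"},
    {"src": INTERNAL_NET, "dst": "any", "service": "any", "action": "deny", "in_iface": "outside", "comment": "anti-spoof"},
    {"src": "any", "dst": "192.0.2.10", "service": "https", "action": "allow", "comment": "public web"},
    {"src": "any", "dst": "any", "service": "any", "action": "deny", "comment": "default deny"},
]
BAD_RULES = [
    {"src": "any", "dst": "FIREWALL", "service": "ssh", "action": "allow", "comment": "admin from anywhere"},
    {"src": "any", "dst": "192.0.2.10", "service": "https", "action": "allow", "comment": "public web"},
    {"src": "any", "dst": "FIREWALL", "service": "any", "action": "deny", "comment": "lockdown"},
    {"src": "any", "dst": "any", "service": "any", "action": "allow", "comment": "permit rest"},
]

if __name__ == "__main__":
    for finding in audit_rulebase(BAD_RULES):
        print("FINDING", finding)
```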

Determine all remote access mechanisms that are allowed through the firewall.
Ensure that anonymous FTP access is not allowed through the firewall.
• Ensure that the firewall is configured to log off idle user sessions after a set
timeout period.

Determine if security levels are assigned to firewall perimeter interfaces that indicate levels of sensitivity. Ensure that the settings are appropriate.

Ensure that internet control message protocol (ICMP) packets are controlled
inbound and outbound on the firewall.

Ensure that the IP frag guard protects the firewall from IP fragmentation
attacks.

Ensure that RIP or OSPF is disabled so that the firewall does not accept any IP
routing table updates.

Ensure that the SNMP community string on the router has been changed from
public to a password key value.

Ensure that Mail Guard is enabled in the firewall to provide a safe conduit for
simple mail transfer protocol (SMTP) connections from the outside to an inside
electronic mail server.

Determine if ActiveX content is blocked by the firewall.

Determine what mechanisms are used to protect against external IP spoofing.

Internet and Firewall Configuration Change Management

Control Objective: Firewall change management procedures are appropriate to prevent incomplete, unintended or unauthorized changes to the firewall and/or other critical network devices.

Review the configuration change log (many firewall products support this) and investigate a sample of changes from the population with the administrator to ensure that they are authorized changes.

Determine the process of how software upgrades and security patches are
applied to firewalls and routers. Further, determine how administrators are
notified of available updates.

Determine if a process exists to back up the firewall configuration regularly.

Determine if a backup firewall exists and is configured to be deployed if the primary firewall fails.

Network Monitoring and Intrusion Detection

Control Objective: Network traffic is monitored to detect availability issues or security events.

Determine if a third-party service is used for intrusion prevention and intrusion detection services to monitor internet and wide area network traffic for security events such as denial of service attacks. Obtain a sample notification and verify that an IT ticket was created for any necessary changes.

Determine if the network is monitored to detect issues such as availability, high CPU utilization or system errors.

Firewall Vulnerability Assessment

Control Objective: The firewall is configured properly to prevent unauthorized security breaches.

Ensure that third-party penetration tests were performed. Review the testing results and determine if vulnerabilities were discovered. Follow up with IT management to determine what action plans were implemented to remediate the vulnerabilities, if any.
